Senior Application Security Analyst

State of Washington

Olympia, WA

JOB DETAILS
SALARY
$98,842–$148,263 Per Year
LOCATION
Olympia, WA
POSTED
4 days ago

Senior Application Security Analyst

Salary

$113,668.00 - $148,263.00 Annually

Location

Thurston County - Olympia, WA

Job Type

Full Time - Permanent

Job Number

1470

Department

Health Benefits Exchange

Opening Date

06/10/2026


Description

The mission of Washington Health Benefit Exchange (Exchange) is to radically improve how Washington residents secure health insurance through innovative and practical solutions, an easy-to-use customer experience, our values of integrity, respect, equity and transparency, and by providing undeniable value to the health care community.

The Exchange is a public-private partnership that operates Washington Healthplanfinder, the eligibility and enrollment portal used by one in four Washington residents to obtain health and dental coverage. Through this platform, and with support from a Customer Support Center and statewide network of in-person navigators and brokers, individuals and families can shop, compare and enroll in private, qualified health plans (as defined in the Affordable Care Act) or enroll in Washington Apple Health, the state Medicaid program.

The Exchange embraces the following equity statement adopted by our Board of Directors:

Equity is fundamental to the mission of the Washington Health Benefit Exchange. The process of advancing toward equity and becoming anti-racist is disruptive and demands vigilance to dismantle deeply entrenched systems of privilege and oppression. While systemic racism is a root cause of many societal inequities, we must also use an intersectional approach to address all forms of bias and oppression, which interact with and often exacerbate racial inequities. To be successful, we must recognize the socioeconomic drivers of health and focus on people and places where needs are greatest. As we listen to community, we must hold ourselves accountable to responding to recommendations to remedy inequitable policies, systems, or practices within the Exchange's area of influence. Our goal is that all Washingtonians have full and equal access to opportunities, power and resources to achieve their full potential.

SUMMARY

The Senior Application Security Analyst plays a key role in protecting WAHBE's data and applications by ensuring security controls are effectively integrated throughout the Software Development Lifecycle (SDLC) across both cloud and on-premises environments. Operating under the guidance of the Application Security Lead, this role serves as a senior technical contributor and collaborates closely with delivery teams, DevOps, architects, IT, and external partners to implement and sustain secure software development practices.

This position is responsible for executing application security assessments, threat modeling, and vulnerability management, while supporting risk assessments and ensuring alignment with WAHBE's security policies and regulatory requirements. The Senior Application Security Analyst helps drive the adoption and continuous improvement of the Secure Software Development Lifecycle (SSDLC) by integrating automated security controls, conducting code reviews, and promoting secure coding standards.

Key responsibilities include identifying and mitigating application security risks, supporting incident response activities, and providing actionable guidance to delivery teams for remediation. The role also contributes to strengthening overall application security posture by addressing emerging threats, supporting compliance efforts, and ensuring security best practices are consistently applied across the organization.

Duties

  • Serve as a senior subject matter expert for application security across Microsoft Azure and cloud-native architectures including hybrid and multi-cloud environments
  • Perform and coordinate application security assessments and code reviews, including API and microservices security assessments, to align with WAHBE security policies, industry standards (NIST, OWASP), and regulatory compliance requirements (e.g., Centers for Medicare & Medicaid Services (CMS), Internal Revenue Service (IRS))
  • Support the implementation and continuous improvement of the Secure Software Development Lifecycle by integrating security controls and best practices into development and deployment processes
  • Collaborate with the Delivery team, architects, and DevOps engineers to embed security into all phases of the SDLC, including participation in threat modeling, security requirement reviews, and architecture discussions
  • Review application and solution architectures to identify security weaknesses, attack surfaces, and insecure design patterns, and provide remediation recommendations
  • Perform security design reviews for web applications, APIs, microservices, containers, and serverless technologies to ensure secure implementation practices are followed
  • Develop, document, and enforce secure coding standards, secure design guidelines, and application security procedures to ensure consistent and secure development practices
  • Enhance and lead the Application Security and Penetration Testing program, including performing security and penetration testing and integrating automated security testing into CI/CD pipelines to ensure continuous and effective validation of application security
  • Conduct vulnerability triage, validation, and risk analysis using security tools, threat intelligence, and manual analysis, including false-positive review and remediation prioritization
  • Track remediation activities for identified application vulnerabilities and work with development teams to ensure timely resolution or appropriate risk acceptance documentation
  • Provide technical guidance for remediation planning and recommend compensating controls when immediate remediation is not feasible
  • Support monitoring and reporting activities by preparing vulnerability metrics, remediation status updates, trend analysis, and risk reports for leadership and stakeholders
  • Develop and deliver secure coding awareness sessions, technical guidance, and application security training materials for development and engineering teams
  • Review Requests for Change (RFCs), product enhancements, and system modifications from a security perspective to ensure security impacts and requirements are addressed
  • Continuously monitor the cloud and on-premises environment for security events, anomalies, and potential threats; conduct thorough investigations to identify root causes and impacts; support containment and recovery from security breaches; and prepare incident reports, including post-incident analysis and lessons learned
  • Partner with Compliance, Risk Management, Audit, Infrastructure Security, and DevOps teams to support audits, regulatory compliance efforts, and secure cloud adoption initiatives
  • Ensure procedures, processes, and technologies align with WAHBE security policies and regulatory compliance requirements (e.g., CMS, IRS)
  • Work closely with delivery teams to ensure security requirements are factored into user stories and case development (including misuse, abuse, and confuse cases within Agile methodology)
  • Assess the security posture of new enterprise solutions to be procured by identifying security risk and providing secure cloud adoption guidance
  • Provide technical security consultation and assessments for cloud environments and containers, with an emphasis on following best practices and conducting comprehensive technical analysis
  • Collaborate with the WAHBE DevOps team to integrate application security into the CI/CD pipeline as part of the SSDLC and enforce security in deployment workflows
  • Assist in maintaining and updating WAHBE security policies, procedures, and standards to ensure ongoing SSDLC adoption
  • Collaborate with internal stakeholders, vendors, and external partners to ensure security integration and ongoing compliance, maintaining alignment with the Security objectives
  • Assist the Application Security Lead in reviewing existing security capabilities and in defining the roadmap and strategy for security enhancements
  • Provide regular briefings to the Application Security Lead and Information Security Manager (ISM), escalating issues and blockers as necessary
  • Provide technical guidance on secure development and vulnerability management activities
  • Stay current on industry trends, emerging threats, and relevant technologies, and communicate key insights to the Application Security Lead
  • Perform other duties as assigned within the scope of application security

Qualifications

Required:

  • Seven (7) years of information security experience in specialized roles such as, but not limited to, security architecture and design, security control implementation, penetration testing, application security, vulnerability management, and incident response
  • Demonstrated knowledge of secure SDLC, secure architecture design, application security concepts, and cloud architecture, including DevSecOps practices and shift-left security integration
  • Experience performing application security code reviews, roles and permissions matrix reviews, and practical application risk assessments, including manual and automated secure code reviews
  • Experience working with common vulnerability assessment tools such as Nessus, Rapid7, Nmap, and Burp Suite, including Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Software Composition Analysis (SCA) tools
  • Advanced understanding of emerging cybersecurity threats, including application-layer attacks, API abuse, and software supply chain vulnerabilities
  • Strong analytical and problem-solving skills with the ability to "think outside the box"
  • Experience integrating security into infrastructure-as-code, CI/CD pipelines, and the software development lifecycle, including implementation of automated controls, continuous monitoring, security gates, and pipeline enforcement policies
  • Demonstrated strong interpersonal and collaboration skills, effectively partnering with internal management, staff, and cross-functional teams as well as external partners and vendors

Desired:

  • Bachelor's degree in engineering, security, or a technology-related or closely allied field
  • Experience working with application security methodologies such as OWASP
  • Demonstrated experience in information security, data security, privacy, and data management, including secure handling of Personally Identifiable Information (PII), application-level encryption, and key management
  • Experience defining secure architectural requirements, security controls, and configuration standards in compliance with regulatory requirements
  • Experience working with threat modeling frameworks such as STRIDE and MITRE ATT&CK, including application-specific threat modeling, attack path analysis, and abuse case analysis
  • Experience developing, reviewing, and updating security standards, procedures, awareness and training, including secure coding standards and developer training programs
  • Demonstrated solid understanding of the functions and operations of Security Information and Event Management (SIEM) and Endpoint Detection & Response (EDR) systems
  • Demonstrated experience in managing cyber incident response, including coordination with development teams for rapid patching and hotfix deployment

Supplemental Information

APPLICATION INSTRUCTIONS

This position will be open until we find a suitable number of candidates to review. If interested, please submit an application as soon as possible. The Exchange reserves the right to close the recruitment at any time.

SALARY INFORMATION

Full Salary Range: $98,842.00 to $148,263.00 annually, with midpoint at $123,552.00.

Hiring Range: $113,668.00 to $123,552.00 annually. This is an estimate of where a qualified candidate can expect to receive an offer.

The actual salary offer will consider candidate experience, skills, qualifications, internal equity, and the market. Our compensation policy reserves the salary range above the midpoint for employees who are meeting and exceeding expectations and for growth and development, up to the maximum.

BENEFITS

Take a peek at our benefits package.

WORKING CONDITIONS

Core business hours are 8:00 a.m. to 5:00 p.m., Monday through Friday. There are times when irregular hours will be required. The preferred duty station is our Olympia, Washington headquarters. The nature of this role relies heavily on remote and in-person collaboration. While a hybrid remote and on-site schedule may be considered, the position will require flexibility to allow for in-office availability as business needs dictate. Travel requirements will be limited; however, there may be occasions where an employee is required to travel and work irregular hours to attend meetings or trainings. Duties of this position require the use of standard office furniture and equipment, including setup for remote work. The employee is responsible for providing and maintaining a safe, ergonomic, and secure workspace at their remote location.

The working conditions and physical demands are representative of those that must be met by an employee to successfully perform the essential functions of this job. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.

SPECIAL REQUIREMENTS

A criminal background screen will be conducted for candidates under final consideration and, if hired, every five years of employment where highly sensitive data is processed or maintained by the position. The result of this background screen must meet the Exchange's eligibility standards.

OTHER INFORMATION

The above statements are intended to describe the general nature and levels of work being performed. They are not intended to be construed as an exhaustive list of responsibilities, duties and skills of personnel so classified.

This is not an employment agreement or contract. Management has the exclusive right to alter this job description at any time without notice.

The Washington Health Benefit Exchange is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, age, marital status, sex, sexual orientation, gender identity, national origin, disability or protected veteran status.

We participate in E-Verify. You can view the Department of Justice's Right to Work poster here.

More than Just a Paycheck!

Employee benefits are not just about the kind of services you get, they are also about how much you may have to pay out of pocket. Washington State offers one of the most competitive benefits packages in the nation.

We understand that your life revolves around more than just your career. Like everyone, your first priority is ensuring that you and your family will maintain health and financial security. That's why choice is a key component of our benefits package. We have a selection of health and retirement plans, paid leave, staff training, and other compensation benefits that you can mix and match to meet your current and future needs.

Read about our benefits:

The following information describes typical benefits available for full-time employees who are expected to work more than six months. Actual benefits may vary by appointment type or be prorated for other than full-time work (e.g. part-time); view the job posting for benefits details for job types other than full-time.

Note: If the position offers benefits which differ from the following, the job posting should include the specific benefits.

Insurance Benefits

Employees and their families are covered by medical (including vision), dental and basic life insurance. There are multiple medical plans with affordable monthly premiums that offer coverage throughout the state.

Staff are eligible to enroll each year in a medical flexible spending account which enables them to use tax-deferred dollars toward their health care expenses. Employees are also covered by basic life and long-term disability insurance, with the option to purchase additional coverage amounts.

To view premium rates, coverage choice in your area and how to enroll, please visit the Public Employees Benefits Board (PEBB) website. The Washington Wellness program from the Health Care Authority works with PEBB to support our workplace wellness programs.

Dependent care assistance allows the employee to save pre-tax dollars for child or elder care expenses.

Other insurance coverage for auto, boat, home, and renter insurance is available through payroll deduction.

The Washington State Employee Assistance Program promotes the health and well-being of employees.

Retirement and Deferred Compensation

State employees are members of the Washington Public Employees Retirement System (PERS). New employees have the option of two employer-contributed retirement programs. For additional information, check out the Department of Retirement Systems website.

Employees also have the ability to participate in the Deferred Compensation Program (DCP). This is a supplemental retirement savings program (similar to an IRA) that allows you control over the amount of pre-tax salary dollars you defer as well as the flexibility to choose between multiple investment options.

Social Security

All state employees are covered by the federal Social Security and Medicare systems. The state and the employee pay an equal amount into the system.

Public Service Loan Forgiveness

If you are employed by a government or not-for-profit organization, and meet the qualifying criteria, you may be eligible to receive student loan forgiveness under the Public Service Loan Forgiveness Program.

Holidays

Full-time and part-time employees are entitled to paid holidays and one paid personal holiday per calendar year.

Note: Employees who are members of certain unions may be entitled to additional personal leave day(s); please refer to position-specific Collective Bargaining Agreements for more information.

Full-time employees who work full monthly schedules qualify for holiday compensation if they are employed before the holiday and are in pay status for at least 80 nonovertime hours during the month of the holiday; or for the entire work shift preceding the holiday.

Part-time employees who are in pay status during the month of the holiday qualify for the holiday on a pro-rata basis. Compensation for holidays (including personal holiday) will be proportionate to the number of hours in pay status in the month to that required for full-time employment, excluding all holiday hours. Pay status includes hours worked and time on paid leave.

Sick Leave

Full-time employees earn eight hours of sick leave per month. Overtime-eligible employees who are in pay status for less than 80 hours per month earn a monthly accrual proportionate to the number of hours in pay status in the month to that required for full-time employment. Overtime-exempt employees who are in pay status for less than 80 hours per month do not earn a monthly accrual of sick leave.

Sick leave accruals for part-time employees will be proportionate to the number of hours in pay status, in the month to that required for full-time employment. Pay status includes hours worked, time on paid leave and paid holiday.

Vacation (Annual Leave)

Full-time employees accrue vacation leave at the rates specified in WAC 357-31-165(1) or the applicable collective bargaining agreement (CBA). Full-time employees who are in pay status for less than 80 nonovertime hours in a month do not earn a monthly accrual of vacation leave.

Part-time employees accrue vacation leave hours in accordance with WAC 357-31-165(1) or the applicable collective bargaining agreement (CBA) on a pro rata basis. Vacation leave accrual will be proportionate to the number of hours in pay status, in the month to that required for full-time employment.

Pay status includes hours worked, time on paid leave and paid holiday.

As provided in WAC 357-58-175, an employer may authorize a lump-sum accrual of vacation leave or accelerate the vacation leave accrual rate to support the recruitment and/or retention of a candidate or employee for a Washington Management Service position. Vacation leave accrual rates may only be accelerated using the rates established in WAC 357-31-165.

Note: Most agencies follow the civil service rules covering leave and holidays for exempt employees even though there is no requirement for them to do so. However, agencies are required to adhere to the applicable RCWs pertaining to holidays and leave.

Military Leave

Washington State supports members of the armed forces with 21 days paid military leave per year.

Bereavement Leave

Most employees whose family member or household member dies, or for loss of pregnancy, are entitled to five (5) days of paid bereavement leave. In addition, the employer may approve other available leave types for the purpose of bereavement leave.

Additional Leave

Leave Sharing

Parental Leave

Family and Medical Leave Act (FMLA)

Leave Without Pay

Please visit the State HR Website for more detailed information regarding benefits.

Updated 01-07-2026

Employer State of Washington

Address View Job Posting for Agency Information

View Job Posting for Location, Washington, 98504

Website http://www.careers.wa.gov

About the Company

State of Washington